make v6 logging work; add weasel ip; fix brain damage

Signed-off-by: Stephen Gran <steve@lobefin.net>

diff --git a/modules/ferm/files/defs.conf b/modules/ferm/files/defs.conf
index b78b9abf95183685073ecb07adf90397611d54a6..61284b65c23b63592909b9c99e28de05e7b0befd 100644 (file)
--- a/modules/ferm/files/defs.conf
+++ b/modules/ferm/files/defs.conf
@@ -26,7 +26,7 @@
 @def $DSA_IPS = ($sgran $weasel $zobel $luca);
 
 @def $sgran6     = (2001:4b10:100b::/48);
-@def $weasel6    = ();
+@def $weasel6    = (2001:41b8:202:deb:216:36ff:fe40:3904);
 @def $zobel6     = ();
 @def $luca6      = ();
 @def $DSA_V6_IPS = ($sgran6 $weasel6 $zobel6 $luca6);

diff --git a/modules/ferm/files/ferm.conf b/modules/ferm/files/ferm.conf
index ff458597e4f574f4c9a717d0ce4b1a5fb1cfb8ea..8229ff80d36bd40734729198f92cafc806e78f44 100644 (file)
--- a/modules/ferm/files/ferm.conf
+++ b/modules/ferm/files/ferm.conf
@@ -7,19 +7,39 @@
 
 @include 'conf.d/';
 
+domain ip {
+        table filter {
+              chain log_and_reject {
+                      ULOG ulog-prefix "REJECT: ";
+                      proto tcp REJECT reject-with tcp-reset;
+                      REJECT;
+              }
+
+              chain log_or_drop {
+                      mod hashlimit hashlimit-name ulogreject  hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second jump log_and_reject;
+                      mod hashlimit hashlimit-name uloglogdrop hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second ULOG ulog-prefix "DROP: ";
+                      DROP;
+              }
+
+        }
+}
+domain ip6 {
+        table filter {
+              chain log_and_reject {
+                      LOG log-prefix "REJECT: ";
+                      proto tcp REJECT reject-with tcp-reset;
+                      REJECT;
+              }
+
+              chain log_or_drop {
+                      mod hashlimit hashlimit-name logreject  hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second jump log_and_reject;
+                      mod hashlimit hashlimit-name loglogdrop hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second LOG log-prefix "DROP: ";
+                      DROP;
+              }
+        }
+}
 domain (ip ip6) {
-       table filter {
-             chain log_and_reject {
-                     ULOG ulog-prefix "REJECT: ";
-                     proto tcp REJECT reject-with tcp-reset;
-                     REJECT;
-             }
-       
-             chain log_or_drop {
-                     mod hashlimit hashlimit-name ulogreject  hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second jump log_and_reject;
-                     mod hashlimit hashlimit-name uloglogdrop hashlimit-mode srcip hashlimit-burst 30 hashlimit 15/second ULOG ulog-prefix "DROP: ";
-                     DROP;
-             }
+        table filter {
               chain INPUT {
                       policy DROP;
                       mod state state (ESTABLISHED RELATED) ACCEPT;